From: David Miller
Subject: Re: [RFC ipsec-next 3/4] net: xfrm: support multiple VTI tunnels
Date: Mon, 18 Dec 2017 12:56:42 -0500 (EST)
Message-ID: <20171218.125642.639075398593924537.davem@davemloft.net>
References: <20171218161656.40618-1-lorenzo@google.com> <20171218161656.40618-4-lorenzo@google.com>
In-Reply-To: <20171218161656.40618-4-lorenzo@google.com>
To: lorenzo@google.com
Cc: netdev@vger.kernel.org, steffen.klassert@secunet.com, subashab@codeaurora.org, nharold@google.com

From: Lorenzo Colitti
Date: Tue, 19 Dec 2017 01:16:55 +0900

> - ICMP errors are similar to input, except the search is for the
>   outbound XFRM state, because the only data that is available is
>   the outbound SPI. Thus, ICMP errors are only processed if the
>   ikey is the same as the okey. AFAICS this is
>   consistent with GRE tunnels, but not with existing VTI
>   behaviour.

I think you will need to sort out the VTI ICMP behavior difference
with what exists now.